CIS AWS Benchmark v6.0.0
Best for: Any AWS shop that needs a recognized configuration baseline. This covers enterprises whose customers demand evidence of cloud hardening, teams pursuing SOC 2 or FedRAMP (CIS controls provide supporting technical evidence but don't satisfy all required safeguards on their own), and regulated industries like financial services and healthcare that treat CIS as an accepted hardening standard. No size or revenue threshold.
Center for Internet Security (CIS) · CIS AWS Benchmark v6.0.0 (official source)
Get Started
module "..." {
  # "..." is your local name for the module instance. Replace <module> with the
  # Compliance.tf module you are deploying and <version> with the release you pin.
  source  = "cisv600.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- CloudTrail Logging Configuration: Runs controls checking multi-region trail enablement, log file validation, KMS encryption of trail logs, S3 data event logging for read and write operations, and access logging on the CloudTrail destination bucket. Covers 10 of the CloudTrail-related controls in the benchmark.
- EBS Encryption at Rest: Checks that EBS encryption by default is enabled at the account level, that attached volumes are encrypted, and that all EBS volumes (attached or not) use encryption. Three controls covered.
- EC2 Instance Security Configuration: Validates that EC2 instances have IAM profiles attached (with additional scrutiny for publicly accessible instances) and that IMDSv2 is enforced. Three controls covered.
- AWS Config Monitoring: Verifies that AWS Config is enabled across all regions and that the configuration recorder has no failed log deliveries. Two controls covered.
- Account-Level Security Settings: Checks whether a security alternate contact is registered on the AWS account. Programmatic verification of contact registration status.
What you handle
- CloudTrail Logging Configuration: Log retention policies, CloudWatch alarm configuration for specific API calls, and the investigation process when suspicious activity surfaces in logs are all yours to define. So is the incident response workflow triggered by log findings.
- EBS Encryption at Rest: KMS key selection (AWS-managed vs. customer-managed), rotation schedules, and migrating any pre-existing unencrypted volumes to encrypted replacements.
- EC2 Instance Security Configuration: The IAM policies attached to instance profiles need to follow least privilege, which requires reviewing what permissions each role grants. Also verify that application code doesn't rely on IMDSv1 before flipping the enforcement switch.
- AWS Config Monitoring: Config rules beyond the baseline, compliance dashboard reviews, and SNS notifications for configuration drift are outside what automation covers here.
- Account-Level Security Settings: Actually populating the contact fields with valid, monitored email addresses and phone numbers. Keeping contact information current when staff change. These are manual data entry tasks that cannot be fully automated.
Controls by Category
Data Protection - EBS Encryption (2 controls)
Most EBS findings here aren't about whether encryption by default is toggled on. It's the older volumes created before that setting was enabled that trip organizations up. Remediation means creating encrypted snapshots and replacing the originals, which takes real time in production environments.
Identity and Access Management - EC2 (2 controls)
Instance profiles and IMDSv2 enforcement are the two things assessors focus on here, with extra scrutiny on publicly accessible instances. For IMDSv2, check that HttpTokens is set to 'required' in the instance metadata options. Legacy instances still allowing IMDSv1 are a common finding and a real exposure: SSRF vulnerabilities can be used to steal instance credentials via the metadata service.
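An added audit check (example code, not Compliance.tf's or CIS's own) that applies the two EC2 checks above to a describe-instances response; the response, instance IDs, account number and addresses are constructed.

```python
# Added example (not Compliance.tf or CIS code): evaluate the CIS EC2 controls
# (IMDSv2 enforcement, instance profile attached) over a describe-instances
# response. The response below is constructed to exercise each case.
from typing import Dict, List

SAMPLE_RESERVATIONS = {
    "Reservations": [{"Instances": [
        # public, IMDSv1 still allowed, has a profile
        {"InstanceId": "i-0aaa", "State": {"Name": "running"},
         "PublicIpAddress": "203.0.113.10",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"}},
        # private, IMDSv2 required, has a profile: compliant
        {"InstanceId": "i-0bbb", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app"}},
        # public, IMDSv1 allowed, no profile at all
        {"InstanceId": "i-0ccc", "State": {"Name": "running"},
         "PublicIpAddress": "203.0.113.11",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        # private, metadata endpoint disabled entirely, no profile
        {"InstanceId": "i-0ddd", "State": {"Name": "running"},
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
    ]}]
}


def imdsv2_findings(response: Dict) -> List[Dict]:
    """Return one finding per running instance that fails an EC2 control.

    control 'imdsv1_allowed': metadata endpoint enabled but HttpTokens is not
    'required'. control 'no_instance_profile': no IAM instance profile attached.
    Instances with a public IP get severity 'high', mirroring the extra
    scrutiny assessors apply to publicly accessible instances.
    """
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            severity = "high" if inst.get("PublicIpAddress") else "medium"
            mo = inst.get("MetadataOptions", {})
            # Assumption: an instance with the metadata endpoint disabled cannot
            # hand out credentials via IMDS at all, so it passes the token check.
            if mo.get("HttpEndpoint") == "enabled" and mo.get("HttpTokens") != "required":
                findings.append({"InstanceId": inst["InstanceId"],
                                 "control": "imdsv1_allowed", "severity": severity})
            if not inst.get("IamInstanceProfile"):
                findings.append({"InstanceId": inst["InstanceId"],
                                 "control": "no_instance_profile", "severity": severity})
    return findings
```

Before setting HttpTokens to required on a flagged instance, the per-instance EC2 CloudWatch metric MetadataNoToken shows whether anything on it is still making IMDSv1 calls.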
Logging - CloudTrail Configuration (3 controls)
Auditors confirm at least one multi-region trail captures both read and write management events, that log file validation is enabled to detect tampering, and that trail logs are encrypted with a customer-managed KMS key. A frequent gap: organizations have a trail enabled but it only covers one region, or log file validation was never turned on.
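An added example (not Compliance.tf's or CIS's code) that evaluates the three CloudTrail conditions above over describe-trails, get-event-selectors and get-trail-status responses; the responses, trail and bucket names and the key ARN are constructed placeholders.

```python
# Added example (not Compliance.tf or CIS code): evaluate the CIS CloudTrail
# controls over API responses. All sample data below is constructed.
from typing import Dict, List

# Shaped like the trailList entries of `aws cloudtrail describe-trails`.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True, "S3BucketName": "example-trail-logs",
     "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "S3BucketName": "example-legacy-logs"},
]
# Shaped like get-event-selectors (EventSelectors) and get-trail-status
# (IsLogging), keyed by trail name.
SAMPLE_SELECTORS = {
    "org-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    "legacy-trail": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}],
}
SAMPLE_LOGGING = {"org-trail": True, "legacy-trail": True}


def captures_all_management_events(name: str, selectors: Dict[str, List[Dict]]) -> bool:
    """True if any selector on the trail records read AND write management events."""
    return any(s.get("ReadWriteType") == "All" and s.get("IncludeManagementEvents")
               for s in selectors.get(name, []))


def evaluate_cloudtrail(trails: List[Dict], selectors: Dict[str, List[Dict]],
                        logging: Dict[str, bool]) -> Dict[str, Dict]:
    """Return {control: {"pass": bool, "detail": [...]}}.

    'detail' lists the qualifying trails for the account-level control and the
    failing trails for the two per-trail controls.
    """
    # Account-level: at least one trail must be multi-region, actively logging,
    # and capturing all management events.
    qualifying = [t["Name"] for t in trails
                  if t.get("IsMultiRegionTrail") and logging.get(t["Name"])
                  and captures_all_management_events(t["Name"], selectors)]
    # Per-trail: every trail must validate its log files and encrypt with KMS.
    # A present KmsKeyId does not by itself prove the key is customer-managed;
    # confirm with `kms describe-key` (KeyMetadata.KeyManager == CUSTOMER).
    no_validation = [t["Name"] for t in trails if not t.get("LogFileValidationEnabled")]
    no_kms = [t["Name"] for t in trails if not t.get("KmsKeyId")]
    return {
        "multi_region_trail_all_mgmt_events": {"pass": bool(qualifying), "detail": qualifying},
        "log_file_validation_enabled": {"pass": not no_validation, "detail": no_validation},
        "trail_logs_kms_encrypted": {"pass": not no_kms, "detail": no_kms},
    }
```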
Additional Controls (20)
- AWS IAM (4)
- AWS KMS (1)
- Amazon EC2 (1)
- Amazon EFS (2)
- Amazon RDS (7)
- Amazon S3 (5)
Frequently Asked Questions
Does CIS v6.0.0 apply to my organization?
If you run anything on AWS, yes. CIS benchmarks are voluntary, not regulatory mandates. However, auditors in SOC 2, FedRAMP, PCI DSS, and HIPAA assessments routinely reference them as evidence of a hardened baseline, and many enterprise procurement questionnaires ask directly whether CIS benchmarks are followed. There is no revenue or size threshold.
How does v6.0.0 differ from v4.0.0?
v6.0.0 adds controls for IMDSv2 enforcement on EC2 instances, account-level security contact registration, and expanded S3 object-level logging (separate read and write event controls). Several existing controls have updated audit procedures reflecting current AWS console and CLI interfaces. If you passed v4.0.0, expect to remediate a handful of new controls, primarily around instance metadata and account settings.
Can I get certified against CIS benchmarks?
No. CIS does not offer a certification program. You run assessments using tools like Powerpipe or CIS-CAT Pro, produce evidence reports, and those reports are consumed by auditors or customers as supporting documentation within a broader compliance program like SOC 2 or ISO 27001.
How long does initial remediation take?
For a single AWS account with moderate complexity, expect 2 to 4 weeks. CloudTrail and Config controls can be fixed in a day with Terraform. EBS encryption takes longer if you have existing unencrypted volumes that require snapshot, encrypt, and replace workflows. IMDSv2 enforcement requires application testing to confirm nothing depends on v1. Multi-account environments using AWS Organizations will take proportionally longer but benefit from deploying fixes via SCPs and StackSets.
What about the MFA delete requirement on the CloudTrail S3 bucket?
This is the single most operationally difficult control in the benchmark. MFA delete can only be enabled by the root user via the AWS CLI, not the console, and requires a hardware or virtual MFA device registered to the root account. Many organizations document a compensating control (versioning plus bucket policy restrictions) rather than enabling MFA delete, because it complicates legitimate bucket lifecycle operations. Discuss the approach with your auditor before implementation.